In the era of the Internet of Things, and with the proliferation of many different types of human interface devices and user agents, users may desire to shift a session between devices in a seamless manner. For example, a user may have a smart phone, a tablet computing device, an Internet-enabled television, a home voice assistant and one or more Internet-of-Things-enabled appliances in his or her home. The user may want all such devices to log in to a single account at the same time, and operate together as part of a single session.
This is not easily possible with current technologies, as web sessions are currently isolated by user agents. For example, when a user initiates a web browsing session, the Hypertext Transfer Protocol (HTTP) used is mostly stateless and treats each request as an independent transaction that is unrelated to any previous request. Thus, the user must be authenticated to each device as the user switches between devices. This can lead to a poor user experience, especially on mobile devices with small user interfaces in which entry of a passcode can be difficult.
In the prior art, to maintain a stateful session using the HTTP protocol, authentication cookies are commonly used. Authentication cookies are used by web servers to determine whether the user of a particular device is logged in to a session or not, and to identify the account with which the user has been logged in. However, a cookie is not useful for maintaining a session across multiple devices or multiple hosted services.
In addition, in some cases a user may wish to establish or rejoin a session on a device that is not personal to the user. Examples of such devices include public computers in libraries or hotel business centers. However, to preserve the security of the user's account the user may not wish to enter his or her passcode into a public computer.
This document describes methods and systems for securely maintaining a user session across multiple devices.